Posted by timothy on Saturday June 18, 2011 @07:18AM from the at-least-it-kills-clippy dept.

An anonymous reader writes "Researchers at Sophos have revealed that the MyDoom worm, which spread via email and launched denial-of-service attacks against websites belonging to SCO and Microsoft, is still spreading on the internet after more than seven years in existence. The firm suggests, tongue-in-cheek, that it would be nice if computer users updated their anti-virus software at least once every 5 years to combat the malware threat."

Yes, because there's never a legitimate reason to send/receive executables. My university does this stripping crap and it's annoying as hell. They even yank out archive files. I eventually had to switch to Gmail from the university system, because I would send a colleague a zip file and they would email me back that I forgot to send an attachment (or vice-versa).

A better option than blindly modifying emails is to look for virus signatures in the files. At least that way, you're only eliminating the things that are known to be harmful.

If only there were a dozen or so other ways to transfer potentially harmful data that coincidentally require user intervention.

E-mail is fine for passive data, but it's too easy for executables. Users should have to jump through some hoops when handling executables, just like chemists have to take extra precautions when handling unknown or potentially hazardous substances. Handling protocol requires you to slow down and treat the material differently. Sounds good to me.

Users should have to jump through some hoops when handling executables

Such as not running as root/Administrator? However, I know plenty of professional SAs who could take that advice; it's just easier to run that way and they (in theory) know how to deal with permissions.

Also, not all attachments are executable, yet most blanket exclude them all, so it eliminates one of the best ways to casually transport files. Worse, those that only go after attachments that appear to be executable miss some and create a false sense of security when dealing with them.

E-mail is fine for passive data, but it's too easy for executables. Users should have to jump through some hoops when handling executables, just like chemists have to take extra precautions when handling unknown or potentially hazardous substances. Handling protocol requires you to slow down and treat the material differently. Sounds good to me.

Like the infamous UAC messages of Windows Vista, which popped up whenever any application tried to do anything, and did nothing but annoyed people and conditioned

Modern computers don't have any security. Yes, this includes Linux, which isolates users from each other (to some extent) but doesn't give a single user any way of isolating his processes from each other and data.

Wrong about *nix, I'm not in a position to comment on Microsoft. But feel free to weasel your way out of incorrect sweeping statements. If I have to point you at the solutions it's because you've gone to considerable trouble to ignore them.

It's difficult to figure out what's happening in your system,

for you maybe - the rest of us have no problems. Be fucking hard to debug if we couldn't.

and it's impossible to roll back any changes, besides reformatting and restoring from a backup.

Wrong about *nix, I'm not in a position to comment on Microsoft. But feel free to weasel your way out of incorrect sweeping statements. If I have to point you at the solutions it's because you've gone to considerable trouble to ignore them.

I'm sorry, did I hit a nerve?

for you maybe - the rest of us have no problems. Be fucking hard to debug if we couldn't.

Modern computers don't have any security. Yes, this includes Linux, which isolates users from each other (to some extent) but doesn't give a single user any way of isolating his processes from each other and data.

Almost forgot - SELinux and AppArmor can do what you asked for - separate processes from filesystem objects.

And your university is broadly doing the right thing. (Though it's wholly unnecessary to yank archives unless they contain executables, any self-respecting mail scanner will be able to read more-or-less any archival format).

Scanning for "known-bad" things stopped being a good idea years ago. Frankly, unless you take a very hard line to block everything even remotely risky you are more-or-less guaranteeing a lot of clean-up work dealing with exploits. Every time something gets through, your staff can look forward to several hours of clearing up the resulting mess - and that's with a relatively small organisation.

Google have the resources to effectively crowdsource much of this, and they don't have to deal with the fallout of anything that slips the net.

What you should be doing is working with the system rather than against it - and the system should be set up to make it easy for you to do this. Services like yousendit.com are a rather more satisfactory solution for most endusers than an FTP server; I daresay a university should be able to put something similar together inhouse.

Please don't encourage those assholes. The spread of services that make their name include their TLD and come up with the rest of their name by describing what they do is one of the most irritating computer-related trends to come along in recent years. It might not be quite as bad if users didn't fall for it - "gotomypc.com? They can do that now? I'll try it, sounds useful!"

Absolutely. By blocking anything potentially dangerous, you end up with a safe organisation that isn't able to function well. Obviously, the I.T. guys see their own pain. But the pain that excess security causes is widely distributed across space and time, and no one counts it all.

So, in this case, yeah, a virus is bad news. But, the question is, is a virus more lost productivity than 1000 people who are unable to send zip files?

But everyone here seems to be missing the forest for the large green things in the way. As a PC repairman who does this 6 days a week, when you see an old worm that has been patched still running loose? Piracy, pure and simple.

You'd be amazed at how many machines I've seen with "XP SP2 Corporate Razr1911 Edition" or one of the variants. Hell more than half the machines on Craigslist are probably running pirated Windows, it is everywhere. Now since WGA will bite the person they sell the box to in the ass* t

You are on /., so I assume you have access to at least a website and the ability to upload files there. Copy and paste the URL.

As you are using email to send those files, security should not be an issue. If you want some minimal security, you could link to a page with a login and/or password. Several more methods are available to make it secure.

Yes, because there's never a legitimate reason to send/receive executables. My university does this stripping crap and it's annoying as hell. They even yank out archive files. I eventually had to switch to Gmail from the university system, because I would send a colleague a zip file and they would email me back that I forgot to send an attachment (or vice-versa).

A better option than blindly modifying emails is to look for virus signatures in the files. At least that way, you're only eliminating the things that are known to be harmful.

Yes we do know that is a a problem but "think of the children":)

On a more serious note. The best way is to take off the .exe or .zip or .whatever and send the binary as a simple file, or even enclose the binaries in a compressed archive and take off the extension so you can send it. The problem is the person who is going to receive the binary must know how to put it into a format that is usable, and it is amazing the number of people who have no idea how to do this even when you explicitly tell them in th

Because any security gateway worth its subscription fees will be scanning for file signatures and blocking anything that is 'malformed'. An encrypted zip file with no extension will certainly attract attention on anything I've set up, just because of the risk that a user is trying to bypass something.
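As an added illustration (not code from any poster in the thread), here is a small Python check of the kind such a gateway performs: it classifies an attachment by its leading bytes rather than its filename, so a renamed executable or an extension-less archive is still recognised, and it flags ZIP archives whose entries carry the encryption bit because their contents cannot be scanned. The sample attachments are constructed in-line; the "executable" is only a DOS header stub.

```python
import io
import struct
import zipfile

# Magic-byte signatures for the two container types the thread discusses.
# A real gateway carries a far larger table; this one is deliberately small.
MAGIC = {
    b"MZ": "exe",            # DOS/PE executable header
    b"PK\x03\x04": "zip",    # ZIP local file header
}

EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "dll"}


def sniff_type(data: bytes):
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inspect_zip(data: bytes):
    """Return (has_encrypted_entries, contains_executable) for a ZIP blob."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            encrypted = any(info.flag_bits & 0x1 for info in infos)  # bit 0 = encrypted
            has_exe = any(extension_of(i.filename) in EXECUTABLE_EXTENSIONS for i in infos)
            return encrypted, has_exe
    except zipfile.BadZipFile:
        return False, False


def assess_attachment(filename: str, data: bytes) -> list:
    """List the reasons a gateway would hold this attachment; empty means it passes."""
    reasons = []
    ext = extension_of(filename)
    kind = sniff_type(data)
    if kind == "exe":
        reasons.append("executable content")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("extension hides executable content")
    elif kind == "zip":
        if ext != "zip":
            reasons.append("archive with missing or renamed extension")
        encrypted, has_exe = inspect_zip(data)
        if encrypted:
            reasons.append("encrypted archive cannot be scanned")
        if has_exe:
            reasons.append("archive contains an executable")
    elif ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension on non-executable content")
    return reasons


# --- constructed sample attachments (not real malware) ----------------------

def make_zip(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Build a one-entry ZIP in memory; optionally set the 'encrypted' flag bit in
    both headers so the scanner sees what a password-protected archive looks like."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6:8] = struct.pack("<H", 0x1)               # local file header flags
        cd = blob.find(b"PK\x01\x02")                    # central directory entry
        blob[cd + 8:cd + 10] = struct.pack("<H", 0x1)    # central directory flags
    return bytes(blob)


FAKE_EXE = b"MZ" + b"\x00" * 62          # DOS header stub only, nothing runnable
CLEAN_ZIP = make_zip("report.txt", b"quarterly numbers")
EXE_ZIP = make_zip("invoice.exe", FAKE_EXE)
HIDDEN_ENC_ZIP = make_zip("notes.txt", b"secret", encrypted=True)

if __name__ == "__main__":
    for name, blob in [("report.zip", CLEAN_ZIP), ("tool", FAKE_EXE),
                       ("stuff", HIDDEN_ENC_ZIP), ("q.zip", EXE_ZIP)]:
        print(name, assess_attachment(name, blob) or "passes")
```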

I hear from users and fanboys that Win7 is much more hardened than say WinXP

So my question is does this old virus still run on Win7?

If you actively run it and give it permission, yes. Since you mention fanboys, the Mac variety always claim malware doesn't count if users have to do that. Compared to XP it helps that Win7 has UAC, but the best defense against PEBKAC malware like this is running antimalware software like Security Essentials, which you also can do on XP.

If you really were interested, there is a lot of information out there about the security differences between XP and Windows 7, they are quite extensive (ASLR, DEP, UAC, i

Any malware that gets executed by the user and granted privileges runs on any system that the executable format it is in can run on. That's true for Windows 95, Windows 7, MacOS of any version and Linux of any flavor.

No system can defend against the stupidity of its owner. Unless the system is actually "protected" from its owner. For further reading, look up DRM and TCPA.

Maybe people should have to register their PC before they connect it to the Internet?? Maybe people should have to get a license to use a PC on the Internet? It might reduce the carnage on our roads ^H^H^H^H^H^H^ Internet....

Excuse me while I press my brown uniform and shine my jackboots, the DRM people are making me work overtime again:)

I'm not really happy with the idea of handing the government even MORE say of what I may do with my computer and what I may not, it's not like they already take more than enough liberties (pun intended) in this matter.

But how about a radical idea: Make people responsible for what their computers do. Make them legally liable if their machines spew out spam and participate in DDoSs, at least if a reasonable amount of precaution has been taken. I'm aware that you cannot easily defend against all threats out th

How about we actually hunt down and prosecute the people who release these viruses and use them to spam and DDOS?

It is EXTREMELY dangerous to start attaching criminal responsibility to people who had no criminal intent and took no criminal action due to their victimization by (harder to catch) criminals. Eventually, the police would just stop trying to get the actual criminals (too hard) and would focus exclusively on the easy to catch victims.

Because the internet is an international world where national borders mean jack, while that's not the case with law enforcement. The people writing and operating malware rarely sit in the US or France. They usually hail from a country the name of which ends in -stan, where law enforcement gets a good chuckle out of it if you ask them to prosecute someone spamming or phishing in your country. They have real crimes to prosecute, and they don't give a rat's behind about your problems. I mean, do you care about

If the U.S. can start extradition for a college kid in the U.K. over a few LINKS to allegedly pirated material, we can find a way to get at massive crime syndicates in other countries attacking millions of citizens here. If some other country won't curb their criminals (at least to the point of keeping their crimes within their own borders), cut them off (or filter them heavily) until they change their minds.

The Senate can't seem to keep their machines secured, more than one police department has failed as

Well, if there was some kind of interest, then maybe. Sadly, there is no RIAA behind the anti-spam movement.

And you're right, taking full blame for the fallout isn't necessary, a fine in the vicinity of 100-500 bucks will keep people keenly interested enough to enable some brain cells before clicking every dancing monkey.

If there is no real interest, the only thing a law could do is permit the police and crooks (politicians, if you prefer) to "do something" about the problem by persecuting the innocent and spending less resources than ever on the actual problem. Meanwhile, a zillion PCs all around the world will make sure the spam doesn't abate even slightly.

If there is adequate interest, they should go after the criminal organizations behind the bot armies.

Well if they are in Bumfuckistan nobody is gonna care if we just kill the pricks then, are they? These guys are scum, they cause billions in damages and lost hours, and as a friend in the state crime lab has told me some are even using their infections to sell CP and not have it on their personal machines. These are true scum of the earth and frankly shouldn't be treated any nicer than we treat the mob or any other criminal org.

So take them out. If the country refuses to do shit, well there are plenty of grou

stupidity cannot be made illegal unless prisons can be made the size of countries and countries the size of prisons.

As per your example: if you leave your car or your home open and you are robbed, you don't have any criminal or civil responsibility. Unless you are prepared to visit your mother in prison, don't say such stupid nonsense.

Talk for your country. In mine, leaving your car keys in your unlocked car means trouble. Usually handled by a fine. Unless the car actually gets stolen and used in a crime, then you're actually liable for facilitation

Unfortunately, unlike with hookers, you don't know if the one spamming is the one who wants to sell. Under your law, if I want to put you out of business, all I had to do is to send out spam advertising your product.

I don't run antivirus software in the VM because the VM almost is never up, but I wonder about people using it for significant amounts of time on a non-firewalled system. XP versions before SP1 would get root'd by simply having internet access.

If spammers suddenly discovered that sending out millions upon millions of unsolicited emails generated no revenue whatsoever because nobody ever opened them, then spam would stop overnight as the spammers would have to go and find new ways to make money.

On the basis that spam has not stopped, I think it's safe to assume that there are still lots of people out there interested in buying viagra or bigger willies from some complete stranger on the other side of the world, even though

Stated in those terms, do you see now why it is perfectly feasible that there are computers out there with absolutely no virus checking on them that haven't been updated for nigh-on a decade.

You wouldn't believe how many systems I have worked on that have anti-virus installed that came with the system but hasn't been updated since the free trial expired. I really wish manufacturers would stop shipping systems with anti-virus software that is only good for 60 days. Almost nobody ever pays for the subscription after the trial expires.

Computers should be safe to operate without expensive add on software.

That's an interesting thought. How about "cars should be safe to operate without expensive add on software / hardware". Guess what? They are! It is the idiot drivers that crash the cars by going too fast in poor conditions, tailgating, and other poor decisions and unsafe usage. This is the same thing as with computers. All major operating systems ship now with security features in place that help to keep users safe. Firewalls (on by default), ASLR, DEP, etc. have become pretty standard. The thing that hasn'

the computer user runs untrusted code that was sent to them by strangers

Then how should code become trusted?

Often times they "have to install this special video codec to watch [insert celebrity name here] boobs". Not only do they install this "codec", they give it admin rights.

As I understand it, codec installers require the user to elevate because operating systems' multimedia frameworks offer no easy way to install a codec to a single user's account. Instead, codecs must be installed to the system for all users.

They claim you need to install a codec not because you actually need one, but because the vast majority of users have no idea what a codec is. They simply recognize it as some nerd term and take it as fact that they need it if they want to watch the video. The program that gets downloaded probably doesn't install a codec at all. It merely installs the virus. For that matter, the advertised video may not even exist. Sure, the user will get upset when they go though all that work and never get their vide

All major operating systems ship now with security features in place that help to keep users safe. Firewalls (on by default), ASLR, DEP, etc. have become pretty standard.

Buffer overflows in browsers, Flash, PDF readers, media players and more have all become pretty standard too. Merely browsing to a particular web site should not cause a computer to become overrun with malware, but sometimes it can.

Not necessarily. In a car, driving too fast, running a light, tailgating, etc are never appropriate.

Clicking OK is quite often the correct answer with a computer. You can't install software without it. The computer shouldn't make opening a data file and running an executable look and feel exactly the same.

No problem. We'll lock the computer down to the point where you may only install approved applications from an approved source. Sure, there'll be some exploits, but they'll be closed and you'll be forced to update (you automatically get them pushed onto your machine next time you connect to the internet, before any other connections are allowed). If a problem is detected your machine is shut down to prevent it from damaging other machines, the only connection possible is to the approved source and it will stay that way until a fix has been pushed that ensures your machine is safe again.

Your ideas intrigue me and I would like to subscribe to your newsletter, please sign me up.

Seems to work for DHS... and it has worked for the aviation industry for more than 50 years.... Do you have any idea how many regulations exist today in aviation specifically because somebody tried doing it differently, and people died as a result?

Any time I'm asked to set up a new desktop or laptop PC for friends or family, the Norton trialware is the first thing I remove, and I install free anti-virus like Microsoft Security Essentials or AVG.

I'm sick of TV ads where Symantec and other commercial security software vendors give the impression they are a one-stop solution to user ignorance with their over-rated bloated packages designed to do little more than get you to hand over a credit card number for their subscription.

You wouldn't believe how many systems I have worked on that have anti-virus installed that came with the system but hasn't been updated since the free trial expired. I really wish manufacturers would stop shipping systems with anti-virus software that is only good for 60 days. Almost nobody ever pays for the subscription after the trial expires.

Yes I would believe it, since the PCs I have bought came with the wonderful 60 day virus scanner trial. My latest laptop (HP dv7 i7) came with Windows 7; however I just blew it away and installed Fedora 14 (now 15) and I use this machine for home and corporate use.

Before people say that using a private machine in a corporate environment can aid in espionage I would answer yes it can, but unless the firm you work for provides a corporate machine you have no choice but to use your own. Anyway there are so many

I'm not sure if it's true, but i have heard that a lot of the spam is a result of the spammers themselves being scammed. They find some less bright guy running some sort of shady small business and convince him that spam is a legitimate form of marketing. He buys into it and pays to send some spam. Whether or not it works at all, the spammers still make money. Which means that spam will keep going as long as there are no consequences for the spammers and there are stupid people running shady businesses.

These people don't care, the 3 applications they use (internet, mail, some word processor) are working and they're happy with that. Chances are they don't even notice how much of their CPU time is already clogged with trojan work since the tasks they want to run would require at best 10% of the CPU's capacity. Whether the trojan eats 50% or not, i.e. whether the idle task runs at 90% or 40%, they don't know, care or notice.

You're looking at someone like my dad in such a scenario. They have their set of pages they keep visiting, they have their set of people they communicate with and that's pretty much what they do with computers. If a flash app doesn't run, it does not bother them. They might even blame their "old" computer that it's not running right, but since it's nothing they're interested in, they just patiently wait for it to go away or search for the "skip" button. They're used to slow computers, chances are their mach

I don't run antivirus software in the VM because the VM almost is never up

That is like never using a condom, because you hardly ever get laid. The protection is not to protect the world from you. In the first instance it is to protect you from the rest of the world. Only AFTER you are infected is it to protect the rest against you.

(I pull the trigger in Russian roulette, because there are almost no bullets in the pistol. What? Why should I use a revolver?)

XP versions before SP1 would get root'd by simply having internet access.

If I run a VM (XP or something else), that VM must have a different ip-address than the host, and to have internet access, there must be some kind of router or routing system. To reach the VM from the internet, port forwarding must be configured. Maybe the host IP is directly accessible from the outside, but the VM is not. Even if no firewalls are active, there is no way that the VM can be infected simply by starting it up and giving it internet access. So for an infection to occur, you need to start a browser to visit a website that infects the OS of the VM. (And of course the host could be infected, and then spread the virus to the local network, but that's something else.)

So can you explain how this VM will be infected after it started up without doing anything else on the machine?

I'm not kidding here, when you look at the current threats, you'll notice that most do not target exploits. Why should they? There is a very good reason not to target exploits but target the big layer-8 exploit sitting in front of the machine.

1. Exploits get fixed. Users don't.
2. Exploits are sometimes hard to craft. It's way easier to create a "click here to see the pig dance" executable.
3. It's easy to adapt social engineering to a new "exploit" (e.g. when a new catastrophe hits, "click here for gory details") rather than adapting an exploit to circumvent AV tools and patches.

If you're trying to break into a machine, use the biggest security hole that no software maker can ever patch: The user. Since most blanket attempts at phishing don't care whether they hit Joe Random over there or you, it wouldn't even matter if 90% of the users were smart enough not to click, it still wouldn't warrant the additional expense of writing code to exploit a security hole in the system.

Is this really any surprise to anyone? People still believe that Bill Gates is going to pay you for forwarding email. Most attacks (malware, trojans, viruses, etc.) feed on the ignorance of the average person. It's sad really, but I don't expect anything different 27 years later, much less 7.

Like in my analogy, your security does not only depend on how well you can handle your machine. You're dependent on others who you interact with. Avoiding shady, dubious pages is no longer a safeguard against infections, pages can be hijacked and they are, I've seen anything from hotel booking pages to phone registers hosting exploits. And since you do not control that page and have no control over its security, and since you won't find out whether it actua

The trade-off in performance for the most commonly used virus-scanning packages is huge and should be taken into consideration. Lately I've used co-workers' new laptops that make my 5 year old Pentium-M with Ubuntu seem very fast by comparison.

In my experience with helping "friends" (people who find out I work with computers) with their computers, most of them have virus software installed that failed to detect the malicious software. And when I tried to remove it I had to try half a dozen scanners to find

If you really want to get people to run virus scanners (without making the scanner a virus itself) you'll have to make it beneficial to the individual. Create some really fun game and buried in the EULA mention that the program does a virus sweep each time it launches.

Make it like the Linux administration Doom port. Instead of showing running processes as enemies in Doom, make the malware appear as enemy combatants. You and the malware battle it out with either modern or futuristic weapons. Every time you kill an enemy, that piece of malware gets destroyed. Every time you lose a battle, the game deletes a random file on your filesystem...

Why should the average Joe care if a virus creates a DoS attack on Microsoft or SCO? All that he cares about (and he is right to) is whether his computer does the job he wants. If it is too slow, he can always service it or buy a new one.

Instead of blaming the people actually responsible for the mess (i.e. the developers of the virus or of the operating system that let this happen), it is the users that are blamed? WTF?

Actually, if you're a multi million dollar company you might not be able to upgrade from IE6. I know of such a company. Their main application that the whole company hangs on is written for IE6, with IE7+ unable to render it sensibly.

And yes, we're talking about a friggin' HUGE company here. Think Sony. Just big.

That was, in a nutshell, the answer I got. And that's also the reason why changes are unlikely to happen any time soon. It's working. Changing it costs at least 6, more likely 7 digits. No chance that you could get that kind of money to change something that "is working".